From 2ee4e01597d46fcbb815242a1b438463660b13a8 Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Wed, 20 Nov 2024 18:56:08 +0200 Subject: [PATCH 1/3] Added Itay Grudev to the default list of CODEOWNERS (#444) Component governance document: https://github.com/cloudnative-pg/governance/blob/main/COMPONENT-OWNERS.md#operator-chart Signed-off-by: Itay Grudev --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index f500752a4..bf47ef5aa 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,6 +2,6 @@ # responsible for code in a repository. For details, please refer to # https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/about-code-owners -* @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd +* @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd @itay-grudev /.github @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd @itay-grudev /charts/cluster @itay-grudev From 7b388badfd86f4c962d3421cf2f551febcccddcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niccol=C3=B2=20Fei?= Date: Thu, 28 Nov 2024 13:12:27 +0100 Subject: [PATCH 2/3] feat: support cnpg operator namespace-restricted installation (#430) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a way to deploy the operator in single-namespace mode, restricting the operator's capabilities to solely the namespace in which it has been installed. Closes #435 Co-authored-by: Leonardo Cecchi Co-authored-by: Jaime Silvela Co-authored-by: Jonathan Gonzalez V. 
Signed-off-by: Niccolò Fei --- .github/actions/deploy-cluster/action.yml | 27 ++ .github/actions/deploy-operator/action.yml | 15 +- .../actions/verify-cluster-ready/action.yml | 12 +- .github/workflows/tests-operator.yml | 58 +++- README.md | 24 ++ charts/cloudnative-pg/README.md | 3 +- charts/cloudnative-pg/templates/NOTES.txt | 7 +- charts/cloudnative-pg/templates/_helpers.tpl | 222 +++++++++++++++ charts/cloudnative-pg/templates/config.yaml | 12 + .../cloudnative-pg/templates/deployment.yaml | 4 + .../cloudnative-pg/templates/podmonitor.yaml | 15 ++ charts/cloudnative-pg/templates/rbac.yaml | 252 ++++-------------- charts/cloudnative-pg/values.schema.json | 3 + charts/cloudnative-pg/values.yaml | 4 + 14 files changed, 436 insertions(+), 222 deletions(-) create mode 100644 .github/actions/deploy-cluster/action.yml diff --git a/.github/actions/deploy-cluster/action.yml b/.github/actions/deploy-cluster/action.yml new file mode 100644 index 000000000..4feaa026b --- /dev/null +++ b/.github/actions/deploy-cluster/action.yml @@ -0,0 +1,27 @@ +name: Deploy a CNPG Cluster +description: Deploys a CNPG Cluster +inputs: + namespace: + description: 'The name of the namespace where the Cluster will be deployed' + required: false + default: 'default' +runs: + using: composite + steps: + - name: Deploy a cluster + shell: bash + env: + NAMESPACE: ${{ inputs.namespace }} + run: | + cat <&1 >/dev/null | grep 'No resources found' diff --git a/README.md b/README.md index dda335965..132478a4b 100644 --- a/README.md +++ b/README.md 
@@ -24,6 +24,30 @@ helm upgrade --install cnpg \ cnpg/cloudnative-pg ``` +#### Single namespace installation + +It is possible to limit the operator's capabilities to solely the namespace in +which it has been installed. With this restriction, the cluster-level +permissions required by the operator will be substantially reduced, and +the security profile of the installation will be enhanced. + +You can install the operator in single-namespace mode by setting the +`config.clusterWide` flag to false, as in the following example: + +```console +helm upgrade --install cnpg \ + --namespace cnpg-system \ + --create-namespace \ + --set config.clusterWide=false \ + cnpg/cloudnative-pg +``` + +**IMPORTANT**: the single-namespace installation mode can't coexist +with the cluster-wide operator. Otherwise there would be collisions when +managing the resources in the namespace watched by the single-namespace +operator. +It is up to the user to ensure there is no collision between operators. + Refer to the [Operator Chart documentation](charts/cloudnative-pg/README.md) for advanced configuration and monitoring. ## Cluster chart diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md index f78461cfc..6194c9d76 100644 --- a/charts/cloudnative-pg/README.md +++ b/charts/cloudnative-pg/README.md 
@@ -30,7 +30,8 @@ CloudNativePG Operator Helm Chart | additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example: - name: RELEASE_NAME value: "{{ .Release.Name }}" - name: MY_VAR value: "mySpecialKey" | | affinity | object | `{}` | Affinity for the operator to be installed. | | commonAnnotations | object | `{}` | Annotations to be added to all other resources. | -| config | object | `{"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. | +| config | object | `{"clusterWide":true,"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. | +| config.clusterWide | bool | `true` | This option determines if the operator is responsible for observing events across the entire Kubernetes cluster or if its focus should be narrowed down to the specific namespace within which it has been deployed. | | config.create | bool | `true` | Specifies whether the secret should be created. | | config.data | object | `{}` | The content of the configmap/secret, see https://cloudnative-pg.io/documentation/current/operator_conf/#available-options for all the available options. | | config.name | string | `"cnpg-controller-manager-config"` | The name of the configmap/secret to use. | diff --git a/charts/cloudnative-pg/templates/NOTES.txt b/charts/cloudnative-pg/templates/NOTES.txt index 0f79fe0dc..d0b65b9b4 100644 --- a/charts/cloudnative-pg/templates/NOTES.txt +++ b/charts/cloudnative-pg/templates/NOTES.txt 
@@ -1,6 +1,6 @@ CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}". -You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows: +You can now create a PostgreSQL cluster with 3 nodes as follows: cat < Date: Sat, 7 Dec 2024 16:16:03 +0200 Subject: [PATCH 3/3] chore(deps): update actions/checkout action to v4.2.2 (#453) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/tests-operator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests-operator.yml b/.github/workflows/tests-operator.yml index 6c4ec9ebb..17d2abb90 100644 --- a/.github/workflows/tests-operator.yml +++ b/.github/workflows/tests-operator.yml @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0
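Review bot: in the CODEOWNERS hunk of 1/3, once `@itay-grudev` is appended to the `*` default rule, the context line `/.github @fcanovai @gbartolini @leonardoce @mnencia @phisco @sxd @itay-grudev` lists exactly the same owners as the default and becomes redundant; drop it unless `.github` is expected to diverge from the default later. Since CODEOWNERS gates required reviews, it is also worth a one-line comment pointing at the linked COMPONENT-OWNERS.md so the `/charts/cluster @itay-grudev` entry and the governance document do not drift apart.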
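Review bot: the CI step in 2/3 that ends in `2>&1 >/dev/null | grep 'No resources found'` passes or fails on kubectl's human-readable stderr text, which is brittle across kubectl versions and easy to misread (the redirection order feeds only stderr to grep and discards stdout). Prefer an exit-code or structured check, for example `kubectl get ... -o name` with a test for empty output, or `kubectl auth can-i ...` for the namespace the operator must not reach, and add a comment stating which scoping behaviour the assertion is meant to prove.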
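Review bot: in the README.md hunk of 2/3, "the cluster-level permissions required by the operator will be substantially reduced" is too vague for anyone auditing the install; the new "Single namespace installation" section should state which permissions remain cluster-scoped when `config.clusterWide=false` (or link to the rendered RBAC) so the reduced ClusterRole can be checked. The IMPORTANT paragraph should also be actionable: say how to detect an existing cluster-wide operator before installing rather than only "It is up to the user to ensure there is no collision between operators", and fold "Otherwise there would be collisions when managing the resources in the namespace watched by the single-namespace operator." into the preceding sentence.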
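Review bot: in the charts/cloudnative-pg/README.md hunk of 2/3, the description for the new `config.clusterWide` row is far longer than the neighbouring rows and restates the top-level README prose; a one-liner such as "Watch the whole cluster (`true`) or only the release namespace (`false`)." is enough for the table, with the longer explanation kept in the `values.yaml` comment if this table is generated from it.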
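Review bot: in the NOTES.txt hunk of 2/3, replacing "in the current namespace" with plain "as follows" drops the one hint a single-namespace user needs: with `config.clusterWide=false` the example cluster must be created in `{{ .Release.Namespace }}` or the operator will never reconcile it. Suggest making the sentence conditional, rendering "in namespace "{{ .Release.Namespace }}" as follows:" when `config.clusterWide` is false, and setting `namespace: {{ .Release.Namespace }}` in the example manifest's metadata in that case.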